Malware Watch: Free Mac OS X screensavers bundled with spyware

Summary: Researchers from Intego have discovered the OSX/OpinionSpy spyware in 29 free Mac OS X screensavers currently online at 7art-screensavers(dot)com. Upon execution it sends data about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data.

Researchers from Intego have discovered the OSX/OpinionSpy spyware in 29 free Mac OS X screensavers currently online at 7art-screensavers(dot)com.

According to the company's security alert, although the "market research" program, also known as RelevantKnowledge, claims to collect only browsing and purchasing information, a deeper investigation reveals a much more intrusive approach.

More details on what the spyware does once it's executed, and the list of the screensavers bundled with it:

  • It opens an HTTP backdoor using port 8254
  • It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations. (It infects the applications’ code in the Mac’s memory, and does not infect the actual applications’ files on the user’s hard disk.)
  • It regularly sends data, in encrypted form, to a number of servers using ports 80 and 443. It sends data to these servers about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much more.
  • If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.
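The behaviours listed above give a defender two cheap host-side indicators: a process listening on TCP 8254, and a non-browser process holding connections to remote port 80 or 443. The following is an added example (not from Intego or the article) that applies both checks to the output of `lsof -i -n -P`; the sample lines, the process name `sample_agent` and the `EXPECTED_WEB_CLIENTS` allowlist are constructed assumptions to be tuned per host.

```python
import re
from dataclasses import dataclass

BACKDOOR_PORT = 8254              # HTTP backdoor port named in the Intego alert
EXFIL_PORTS = {80, 443}           # ports the spyware reports over
# Assumption: processes legitimately expected to talk to :80/:443 on this host
EXPECTED_WEB_CLIENTS = {"Safari", "firefox-bin", "iChat", "Mail"}

# One `lsof -i -n -P` line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*?\s(?P<proto>TCP|UDP)\s+"
    r"(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)

@dataclass(frozen=True)
class Finding:
    pid: int
    command: str
    reason: str

def _port_of(endpoint: str) -> int:
    # "*:8254", "192.168.1.5:52344" and "[::1]:8254" all end in ":<port>"
    return int(endpoint.rsplit(":", 1)[1])

def scan_lsof(lines):
    """Return Findings for backdoor listeners and unexpected web-port connections."""
    findings = []
    for line in lines:
        m = LSOF_RE.match(line.strip())
        if not m:                       # header line or unrelated output
            continue
        cmd, pid, name, state = m["cmd"], int(m["pid"]), m["name"], m["state"]
        if state == "LISTEN" and _port_of(name) == BACKDOOR_PORT:
            findings.append(Finding(pid, cmd, f"listening on TCP {BACKDOOR_PORT} (OpinionSpy backdoor port)"))
        elif state == "ESTABLISHED" and "->" in name:
            remote = name.split("->", 1)[1]
            if _port_of(remote) in EXFIL_PORTS and cmd not in EXPECTED_WEB_CLIENTS:
                findings.append(Finding(pid, cmd, f"unexpected process connected to {remote}"))
    return findings

# Constructed sample output; process names and addresses are illustrative only
SAMPLE_LSOF = """\
COMMAND       PID  USER            FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari        412  alice           23u  IPv4 0x1a2b      0t0  TCP 192.168.1.5:52344->93.184.216.34:443 (ESTABLISHED)
sample_agent  517  alice            5u  IPv4 0x3c4d      0t0  TCP *:8254 (LISTEN)
sample_agent  517  alice            6u  IPv4 0x5e6f      0t0  TCP 192.168.1.5:52400->203.0.113.10:443 (ESTABLISHED)
mDNSResponder  98  _mdnsresponder   8u  IPv4 0x7a8b      0t0  UDP *:5353
""".splitlines()

if __name__ == "__main__":
    for f in scan_lsof(SAMPLE_LSOF):
        print(f"pid {f.pid} ({f.command}): {f.reason}")
```

On a live machine, feed it `lsof -i -n -P` output instead of `SAMPLE_LSOF`; a hit on 8254 is the stronger signal, while the 80/443 check mainly surfaces candidates for manual review.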

The authors of these screensavers have bundled the RelevantKnowledge application into the installation process, which cannot continue unless the user accepts an EULA describing the program as the "Trees of Knowledge".

The RelevantKnowledge spyware/adware app is a well-known Windows-based pest, with a surprisingly high number of people still willing to install it in order to access the freeware application used as the lure. The risks involved? Beyond the intrusive, spyware-like practices of the application itself, in 2006 several researchers discovered a remotely exploitable flaw within it, allowing anyone to perform keylogging and monitor the content of active windows on every host running it.

Clearly, the people attempting to monetize their screensavers using RelevantKnowledge are not just borrowing tricks from the Windows malware author's playbook, using the ubiquitous "freeware application" as a lure; they have ported the spyware to Mac OS X.

The screensavers' site, as well as the MishInc FLV To Mp3 application, remain online. Considering that it's only a matter of time until they rebrand these applications, in between switching to new layouts, it's worth emphasizing that these days there's no such thing as a free screensaver unless it's bundled with something malicious.

Mac OS X malware (New Mac OS X malware variant spotted; Mac OS X SMS ransomware - hype or real threat?) is no longer an urban legend, and neither are the remotely exploitable flaws targeting Apple's OS, or the third party apps/plugins running on it.

Google ought to know better.

What do you think? Talkback.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

50 comments
  • ROFLMAO!!!!

    I would like someone to bring this to Apple's Genius Bar and tell me what they are told to rebuke this.
    Maarek
    • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

      @Maarek - they will say "Just use noscript and block those Flash games". They're pretty much parrots in those stores.

      As a Mac user myself, I appreciate the article.

      That and my antivirus software did pop up a warning (phishing attempt) earlier today, so more hackers are incorporating Mac-centric holes... given the various claims of PWN2OWN with OS X going down all the time thanks to hackers, I hope Apple stops being LAZY and fixes their products...
      HypnoToad72
      • Kernel Hooks (like Aimbots)! :O ....are Beasts!!!

        @HypnoToad72 These are unrelated to FLASH or Browsers, but yes I get your point about Apple!

        The way these work is truly diabolical. The code just sits there like a virus, until the screen saver is running. Then you can't get to your desktop to discover them. In the meantime, while it's activated in Apple's runtime, it accesses any running browser or web application for info that is then sent off to their data collection center.

        Deactivate the screensaver.... it stops. They work on the same principles of Hooked Aimbots in Games and are completely undetectable. Except by packet sniffers or a good solid Firewall set to block the particular port they're using.

        What I mean is let's say you're playing Battlefield II or Unreal Tournament (known for aimbots) and you are getting killed and not able to kill anyone else. You can download or buy certain "Kernel Hooked Aimbots" to make you invincible and able to auto-kill your opponents online. Used properly, they are undetectable. They are like rootkits, but much worse in this case, where they piggyback (hook) into the application's runtime at startup only. You could scan the executable when it's not running, without ever being able to find its presence.

        They usually put it in a folder in some inconspicuous place where no one ever looks!

        Start your game and the aimbot is inserted into the running application. Your Screensaver on a Mac and this malware starts with it only hooking into the malware program at that time. Stop your screensaver and it's gone!.....so for Apple this is a major problem and a good reason to buy something like Symantec's Suite for Mac (or other protection suite)!

        http://buy.norton.com/estore/mf/productDetails/productSkuCode/14551955/

        Diabolical??? ....is a mild term for this type of intrusion! :O
        i2fun@...
      • Note!

        @HypnoToad72 So what I'm saying is that the malware only works when the application is loaded into memory. When it's closed down, it's GONE!

        Windows users have had to deal with this type of scamware for a long time. But maybe not to this diabolically evil degree
        i2fun@...
      • Deactivate the screen saver it does not stop reread the article.

        i2fun@... The spyware has to be deactivated, not the screen saver. The spyware is run after you install the screen saver but has nothing to do with the screen saver after it is installed. All this is stated in the article.
        dougogd@...
      • @dougogd

        Yeah.... I realize that, but I've just revealed that I've used Aimbots!!! haha... ...but I've given malware writers a new life with this idea of kernel hooking. If Apple's users just trust Apple and the Mac platform too much, they'll open themselves up to requiring installing 3rd party anti-malware software and firewalls. So now Mac is really in the same boat as Windows.

        Scary to think about kernel hooked malware. Then who do you trust? Anybody could get away with it as a new type of viral attack!
        i2fun@...
    • As I said earlier...

      ... but for some reason it was deleted?
      @Maarek Rebuke WHAT?? That only idiots install strange free software on their system? And that they can't protect them from themselves?

      There is not one - ZERO - documented case of any malware successfully installing/infecting/attacking an OS X Mac. EVER. It takes a moron to install the software on their own machine.

      Apples aren't susceptible to Malware, only Idiot-ware.
      JoeBob_z
      • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

        @JoeBob_z

        The only way to idiot-proof OSX would be to lock down the OS and require everything to be installed via the iStore;

        Somebody asked Steve Jobs about that and he turned it down flat.

        If people want to install "free" software with trojans in it, Apple won't stop them.

        And I have to say, I prefer it that way.
        Jkirk3279
  • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

    @OS Reload
    A digital signature can't be falsified? Man, who would have known. And just who watches the people in charge of trusted repositories? You mean no one can fake a trusted repository? Listen, if people were interested in using Linux they would be already, but the cost is too high to switch. No one wants to waste the money they have spent only to find out it's not supported by Linux because of patents. You actually think consumers care what your excuses are??
    Stan57
    • Trusted software repositories.

      @Stan57

      The way you managed to miss that part is quite a feat in itself.
      OS Reload
    • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

      @Stan57
      I wouldn't trust it either. Repositories have been hacked several times over, some being down for months at a time.
      Loverock Davidson
    • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

      "I wouldn't trust it either. Repositories have been hacked several times over, some being down for months at a time."

      @Lovey, do you have any proof of this? Or are you spouting off again?

      Please cite your example.
      ubiquitous one
  • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

    @OS Reload: Are you suggesting that Linux remain a walled garden, where you can only install approved apps?
    msalzberg
    • There are no walled gardens in Ubuntu

      @msalzberg

      Everyone can participate in the Ubuntu community and become a software maintainer. That means all software has a chance to be included in Ubuntu's trusted, curated software repository; even proprietary software has its own section.
      OS Reload
  • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

    @OS Reload
    Why, yes. If, just hypothetically, Apple had a distribution system for the software they approved - a sort of "app store", if you will - then surely everyone would be completely happy with the way that they ran it, and we could trust them not to do anything stupid like ban the use of Flash.
    thegasman
    • Flash is one of the....

      @thegasman
      Most inefficient programs ever devised by the mind of man. Even on my eight-processor Mac Pro, it keeps all its cores busy to about 30%, just playing a video. An H.264-encoded video, played back in QuickTime, barely registers 5%, two or three cores at a time in the Activity Monitor graph.

      All Adobe programs have always been resource hogs. Flash is no exception. It appears to be worse than the others. The Adobe PDF reader also takes a long time to load compared to Apple's Preview application. It seems that at Adobe nobody knows how to write efficient software, or they don't care even the least little bit how their programs perform in anything other than Windows. Apple could have done no better thing than to exclude Flash from its mobile devices.
      arminw
    • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

      @thegasman
      Arminw, perhaps you should get a PC; I have several single-processor machines that run Flash fine. Or maybe you need a 16-processor Mac....

      Banning an inefficient program is typical Apple behavior; just let the sheep have what Apple deems appropriate, and they'll obediently follow and even help justify it by finding reasons to do so.
      garyleroy@...
    • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

      @garyleroy@... Talk about tunnel vision. What a ridiculous response.

      A lot of people buy Macs specifically to get away from windoze and its associated bloatware. If anything, not banning Flash is just a tacit sheeple acceptance of substandard programs that refuse to bring out new innovations to the public.

      To buy a multi-core PC machine just to cater to Flash has to be some of the lamest reasoning I've read here yet... Unless you were being sarcastic. Hmmm?
      ubiquitous one
    • I can see why people hate Flash on the Mac, actually

      Due to the fact that Apple refuses to actually work with Adobe, unlike Microsoft who hasn't hindered Flash on Windows, the product is somewhat substandard. But, hey, it's Adobe's fault, right? They should find a way around not having everything they need to make an efficient OSX Flash.
      Michael Alan Goff
    • RE: Malware Watch: Free Mac OS X screensavers bundled with spyware

      @thegasman

      Oh, AND we can be SURE nobody would whinge and complain about Apple being too controlling!

      Because nobody dislikes Apple for irrational reasons.
      Jkirk3279